Can't connect to MySQL using self-signed SSL certificate
After creating a self-signed SSL certificate, I have configured my remote MySQL server to use it (and SSL is enabled).
I ssh into my remote server and try connecting to its own mysqld using SSL (MySQL server is 5.5.25):
mysql -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert
Enter password:
ERROR 2026 (HY000): SSL connection error: error:00000001:lib(0):func(0):reason(1)
OK, I remember reading there's some problem with connecting to the same server via SSL. So I download the client keys to my local box and test from there:
mysql -h <server> -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key --ssl-ca=ca.cert
Enter password:
ERROR 2026 (HY000): SSL connection error
It's unclear what this "SSL connection error" refers to, but if I omit the --ssl-ca, then I am able to connect using SSL:
mysql -h <server> -u <user> -p --ssl=1 --ssl-cert=client.cert --ssl-key=client.key
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.25 MySQL Community Server (GPL)
However, I believe that this is only encrypting the connection, and not actually verifying the validity of the cert (meaning I would potentially be vulnerable to a man-in-the-middle attack).
The SSL certs are valid (albeit self-signed), and do not have a passphrase on them. So my question is, what am I doing wrong? How can I connect via SSL, using a self-signed certificate?
MySQL Server version is 5.5.25 and the server and clients are CentOS 5.
Thanks for any advice.
Edit: Note that in all cases, the command is being issued from the same directory where the SSL keys reside (hence no absolute path).
Edit (in response to mgorven): ca.cert is the Certificate Authority certificate, which is supposed to tell MySQL that my certificate authority is trusted.
The config from my.cnf is:
[mysqld]
ssl-ca=/etc/ssl/mysql/ca.cert
ssl-cert=/etc/ssl/mysql/server.cert
ssl-key=/etc/ssl/mysql/server.key
I also tried adding ssl-cipher=DHE-RSA-AES256-SHA but have since removed it as it didn't help.
Yes, you are correct that if you don't specify --ssl-ca then the client does not check the server certificate at all. Since it works without that option, the most likely reason for the failure is that the client doesn't trust the server certificate.
If you are using self-signed client and server certificates then the ca.cert file should include both these certificates. That way the client will trust the server certificate and the server will trust the client certificate.
For example:
Generate the server key and certificate:
$ openssl req -x509 -newkey rsa:1024 \
-keyout server-key-enc.pem -out server-cert.pem \
-subj '/DC=com/DC=example/CN=server' -passout pass:qwerty
$ openssl rsa -in server-key-enc.pem -out server-key.pem \
-passin pass:qwerty -passout pass:
Generate the client key and certificate:
$ openssl req -x509 -newkey rsa:1024 \
-keyout client-key-enc.pem -out client-cert.pem \
-subj '/DC=com/DC=example/CN=client' -passout pass:qwerty
$ openssl rsa -in client-key-enc.pem -out client-key.pem \
-passin pass:qwerty -passout pass:
Combine the client and server certificates into the CA certificates file:
$ cat server-cert.pem client-cert.pem > ca.pem
To use one-way SSL, you should try with:
mysql -u <user> -p --ssl=1 --ssl-ca=ca.cert --ssl-verify-server-cert
The --ssl-cert and --ssl-key on the mysql client are used for two-way SSL. This means certificate-based authentication. The subject of the client certificate should be the username.
By any chance, have you entered the same Common Name for the server and client certs? If yes, replace one of them so that the Common Names are different.
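A fuller way to build the files that --ssl-ca, --ssl-cert and --ssl-key consume, as an added example that is not from the question or any of the answers: one private CA signs separate server and client certificates with different Common Names (the point raised in the last two answers), and check_mysql_pki verifies both leaf certificates against ca.pem before mysqld and the client are pointed at them. The output directory, the hostname db.example.com and the CN values are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or answers: one private CA signs a server
# and a client certificate with different Common Names, and the result is checked
# against the same ca.pem the mysql client would receive via --ssl-ca.
# Directory, hostname and CN values are assumptions.
set -eu

# Issue a key plus CA-signed certificate for one role (server or client).
make_signed_cert() {
    dir="$1"; role="$2"; cn="$3"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$role-key.pem" -out "$dir/$role.csr" \
        -subj "/DC=com/DC=example/CN=$cn" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$role.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/$role-cert.pem" 2>/dev/null
}

make_mysql_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. The CA is the only self-signed certificate in the set.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" \
        -subj '/DC=com/DC=example/CN=mysql-ca' 2>/dev/null
    # 2. Server CN = the host name clients pass to -h; --ssl-verify-server-cert
    #    compares the two, so a mismatch fails the connection.
    make_signed_cert "$dir" server db.example.com
    # 3. Client CN must differ from the server CN (see the answer above); it can
    #    double as the MySQL account name for REQUIRE SUBJECT grants.
    make_signed_cert "$dir" client appuser
}

# Exit 0 when both leaf certs chain to ca.pem and their subjects differ:
# the check to run before pointing mysqld and the client at the files.
check_mysql_pki() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.pem" "$dir/server-cert.pem" >/dev/null
    openssl verify -CAfile "$dir/ca.pem" "$dir/client-cert.pem" >/dev/null
    s=$(openssl x509 -noout -subject -in "$dir/server-cert.pem")
    c=$(openssl x509 -noout -subject -in "$dir/client-cert.pem")
    [ "$s" != "$c" ]
}
```

Copy ca.pem, server-key.pem and server-cert.pem into the [mysqld] ssl-* paths from my.cnf, and hand ca.pem plus the client pair to the mysql client together with --ssl-verify-server-cert.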